The New Face of ID Management

This is supposed to be a big year for identity management. IDC thinks we might all be logging onto the corporate network with our Facebook logins. Wired Magazine has declared passwords dead. BYOD is forcing IT to integrate personal devices that are used outside of the office by multiple parties. And every hardware vendor seems to offer its own proprietary biometric scanner that no one ever uses.

Identity management is a mess, but it's an important mess. There's just too much sensitive data being aggregated online for criminals to ignore. So what does this mean to you in 2013?

Let's start with IDC. In late 2012, the company predicted "that many more enterprises, and the security software and services vendors that serve them, will use the identity management systems of Facebook, Google, Yahoo!, Microsoft, and other consumer social networks and cloud services as a new foundation for enterprise authentication." While this makes an interesting conversation starter, it's a non-issue for most enterprises. To be fair, the OAuth standard used by social networks has some pretty interesting features, but migrating to such a system doesn't solve the primary problem of keeping your data safe. This one is safe to ignore.

So what does keep your data safe? Passwords, the long-time bedrock of identity management. Wired Magazine's article brought up some important concerns about them. Faster computers, lazy users, and more efficient data sharing among criminals have made passwords almost trivial to circumvent. If bad guys with enough resources want in, nearly all consumer-accessible systems and the majority of corporate systems can be compromised. Forrester Research has some excellent ideas about mitigating risk without throwing the system away, but even they admit that, ultimately, passwords are insufficient. But are passwords going away? Not a chance. Users understand them, IT departments know how to manage them, and they're hardware-independent. Passwords are fine. They just need a boost.

And there's the real problem: single-factor authentication. Any system that relies on only one device is easy to dupe -- fake IDs have worked for decades. Adding a second authentication factor provides exponential security improvements, and forces criminals to expend a tremendous amount of effort. That's why bank cards require a PIN or a visual ID check at the point of sale. Two-factor authentication isn't perfect, as we learned from the Verizon employee who shipped his ID dongle to Chinese outsourcers. Still, it's a huge upgrade to traditional passwords, and if you're not using two-factor authentication (2FA), this is the year you should start.

What should your 2FA system look like? It's a bit murky, but think low-tech. Biometrics are out. Biometric scanners work reasonably well in retail locations (my gym has used a thumb print scan for more than a year now), but the economics of distributing hardware to a diverse workforce, syncing multiple device types, addressing privacy concerns, and supporting the whole system are a nightmare. For access to highly specific resources (e.g., a government lab or a specific piece of hardware), biometrics can make sense, but as an enterprise standard, don't expect to see it for years. There's also been a lot of talk about smart IDs. If you're based in Europe, this shows some promise, but the US is far from a solution. The federal government is working on a voluntary ID system, but it could be years before any products based on the standard hit the market, and a wave of privacy lawsuits is on its way.

Your security firm will have recommendations for what vets your situation best, but you're probably looking at distributing physical or virtual devices that generate unique, secondary passwords at user login. Activision Blizzard uses both physical and virtual (Android and iOS apps) 2FA for its Blizzard Authenticator program. Is there any reason a video game should have better security than your enterprise?

I do believe the mass adoption of biometrics is critical today as we have adopted social media. With the security and identity theft at a high rate, installing the proper biometrics to such sites according to standards will be beneficial. The worst scenarios are having your data compromised. Relying on strong passwords is good however further security measures that are even stronger is best for today's sites.

@Keith Agreed. I feel the same about the responsibility put on these kids at a young age. Our schools seem to take a very long time to deposit checks so it's takes a while before we learn a check has been lost. This is a scary thought for me. The system sounds like a dream. The most we can do is manage lunch account monies. Everything else is cash or checks...

It's funny you mention scrambling for cash at the last minute just as the bus pulls up. I did just that Friday morning!

@tinym school trip payments are not small sums of money these days and it is unfair for the kids to have that responsibility at a young age. Also, it is an unnecessary temptation to anyone that may easily be lead astray.

The online payment system is so good too.

When you make a payment for a specific trip it is allocated against that trip and the system generates a code that you can then write on the slip you send back saying your child can go. The teacher then knows payment has been made and it makes everyone's job easier. No more scrabbling around for cash just as they are about to leave for the school bus!!

@Keith that's good news. I'm glad it's not a system created only for school lunch payments. I like the idea of keeping cash and checks out of my kids' hands for school trips and whatnot. One of our kids (or maybe the teacher) recently lost a check meant for a school trip payment. I would have rather paid online!

@Sara- My experience with them is that they are touchy. If you press too hard and squash your thumb too much or don't squash it enough, they don't work. They easily get dirty and lost their abilit to scan properly.

i also have to take off my brass knuckles to use them. And sometimes even my Michael Jackson tribute glove if I forget to use the thumb i don't wear the glove on.

The blogs and comments posted on EnterpriseEfficiency.com do not reflect the views of TechWeb, EnterpriseEfficiency.com, or its sponsors. EnterpriseEfficiency.com, TechWeb, and its sponsors do not assume responsibility for any comments, claims, or opinions made by authors and bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.

Enterprise Efficiency is looking for engaged readers to moderate the message boards on this site. Engage in high-IQ conversations with IT industry leaders; earn kudos and perks. Interested? E-mail: moderators@enterpriseefficiency.com

Dell's Efficiency Modeling ToolThe major problem facing the CIO is how to measure the effectiveness of the IT department. Learn how Dell’s Efficiency Modeling Tool gives the CIO two clear, powerful numbers: Efficiency Quotient and Impact Quotient. These numbers can be transforma¬tive not only to the department, but to the entire enterprise. Read the full report

Now that TGen has broken new ground in genomic research by using Dell's storage, cloud, and high-performance computing solutions, the company discusses what will come next for it and for personalized medicine.

The Translational Genomics Research Institute wanted to save lives, but its efforts were hobbled by immense computing challenges related to collecting, processing, sharing, and storing enormous amounts of data.

Office and personal productivity tools come in a first-class and coach flavor set, but what makes the difference is primarily little things that most users won't encounter. What's the big issue in using something other than Office, and can you get around it?

We really don't want an "Internet of Everything" but even building an Internet of Everythinguseful means setting some ground rules to insure there's value in the process and that costs and risks are minimized.

Google's Chrome OS has a lot of potential value and a lot of recent press, but it still needs something to make it more than a thin client. It needs cloud integration, it needs extended APIs via web services, and it needs to suck it up and support a hard drive.

On a recent African trip I saw examples of the value of the cloud in developing nations, for educational and community development programs. We could build on this, but not only in developing economies, because these same programs are often under-supported even in first-world countries.

VMware's debate with Cisco on SDN might finally create a fusion between an SDN view that's all about software and another that's all about network equipment. That would be good for every enterprise considering the cloud and SDN.

Wearing a bulky, oversized watch is good training for the next phase in wristwatches: the Internet-enabled, connected watch. Why the smartphone-tethered connected watch makes sense, plus Ivan demos an entirely new concept for the "smart watch."

Cloud storage costs are determined primarily by the rate at which files are changed and the possibility of concurrent access/update. If you can structure your storage use to optimize these factors you can cut costs, perhaps to zero.

The Internet has evolved into a machine for drumming up a chorus of "Happy Birthday" messages, from family, friends, friends of friends who you added on Facebook, random people that you circled on G+, and increasingly, automated bots. Enough already.